ABSTRACT

A method and apparatus for cryptographically converting a
digital input data block into a digital output data block. The
apparatus has an input for supplying the input data block and
a further input for supplying a code conversion digital key
K1. Cryptographic processing merges a selected part M1 of
the digital input data block with the key K1 to produce a data
block B1 which is non-linearly dependent on M1 and K1.
The merging is performed in one sequentially inseparable
step. The digital output block is derived from a selected part
of the data block B1.

10 Claims, 6 Drawing Sheets 
CRYPTOGRAPHIC METHOD AND
APPARATUS FOR NON-LINEARLY
MERGING A DATA BLOCK AND A KEY

BACKGROUND OF THE INVENTION 

CROSS REFERENCE TO RELATED 
APPLICATIONS 

1. Field of the Invention 

The invention relates to a method for converting a digital
input block into a digital output block; said conversion
comprising the step of merging a selected part M1 of the
digital input block with a first key K1 and producing a data
block B1 which non-linearly depends on the selected part
M1 and the first key K1, and where a selected part of the
digital output block is derived from the data block B1.

The invention further relates to an apparatus for
cryptographically converting a digital input block into a digital
output block; the apparatus comprising first input means for
supplying the digital input block; second input means for
supplying a first key K1; cryptographic processing means
for converting the digital input block into the digital output
block; such conversion comprising merging a selected part
M1 of the digital input block with the first key K1 and
producing a data block B1 which non-linearly depends on
the selected part M1 and the first key K1, and where a
selected part of the digital output block is derived from the
data block B1; and output means for outputting the digital
output block.

2. Description of the Related Art 

The Data Encryption Standard (DES) of the National
Bureau of Standards [FIPS publication 46, Jan. 15, 1977]
describes a widely used algorithm for converting a digital
input block into a digital output block. Such an algorithm is
generally referred to as a block cipher. The DES algorithm
is used for encrypting (enciphering) and decrypting
(deciphering) binary coded information. Encrypting converts
intelligible data, referred to as plaintext, into an
unintelligible form, referred to as ciphertext. Decrypting the
ciphertext converts the data back to its original form. In the
so-called electronic code book mode, DES is used to encrypt
blocks of 64 bits of plaintext into corresponding blocks of 64
bits of ciphertext. In this mode, the encryption uses keys
which are derived from a 64 bit key, of which 56 bits may
be freely selected. FIG. 1 shows the overall structure of DES
during encrypting. In the encrypting computation, the input
(64 bit plaintext) is first permuted using a 64 bit fixed
permutation IP. The result is split into 32 left bits L_0 and 32
right bits R_0. The right bits are transformed using a cipher
function f(R_0, K_1), where K_1 is a sub-key. The result f(R_0,
K_1) is added (bit-wise modulo 2) to the left bits, followed by
interchanging the two resulting 32 bit blocks L_0 ⊕ f(R_0, K_1)
and R_0. This procedure is continued iteratively for a total of
16 rounds. At the end of the last round the inverse permutation
of the initial permutation IP is applied.

In the calculation of f(R_{i-1}, K_i) the 32 right bits R_{i-1} are first
expanded to 48 bits in the box E, as illustrated in FIG. 2.
According to a given table this expansion is performed by
taking some input bits twice as an output bit and others only
once. Then, the expanded 48 bits are added (bit-wise modulo
2) to the 48 key bits K_i. The resulting 48 bits are split into
8 groups of 6 bits each. Each of these groups is processed by
an S box (S_i), which reduces the 6 bits to 4 bits in a
non-linear operation. The eight S_i boxes are given in the
form of a table. The total output is 32 bits, which is permuted
in the box P. P is also given in the form of a table.
FIG. 3 illustrates the key schedule calculation. The key
consists of 64 bits, of which only 56 are used in the
algorithm. Those 56 bits should be chosen randomly. Eight
complementing error detecting bits are used to make the
parity of each byte of the key odd. The selection of the 56
bits is performed in box PC1, together with a permutation.
The result is split into two 28 bit words C_0 and D_0. To obtain
the 48 key bits for each round, first the words C_0 and D_0 are
left shifted once or twice. A selection and a permutation PC2
are then applied to the result. The output of PC2 is the 48 bit
sub-key K_i which is used in f(R_{i-1}, K_i). The process of shifting,
selecting and permutating is repeated to generate a sub-key
for each round. A table specifies how many shifts must be
performed to obtain the next 48 bits of the sub-key for the
following round.

The same algorithm and key can be used for decrypting a
ciphertext. The initial permutation for the decrypting cancels
the inverse permutation of the encrypting. Each round
consists of a, so-called, Feistel cipher. It is well-known that
for Feistel ciphers the inverse operation consists of using the
same rounds as used for encrypting but applying the sub-
keys in inverse order. As such, the first decrypting round
must be supplied with the same sub-key as used for the
sixteenth encrypting round, the second decrypting round
must be supplied with the same sub-key as used for the
fifteenth encrypting round, etc. It is also well-known how
the DES algorithm can be used in other encryption modes,
such as the cipher feedback mode. In this mode, the DES
algorithm is used to generate a stream of statistically random
binary bits, which are combined with the plaintext, using, for
instance, an exclusive-or logic operation.

The DES algorithm, in essence, comprises an initial
permutation, followed by sixteen key-dependent computations
on part of the data and terminated with an inverse
permutation. Each key dependent computation comprises
adding (modulo 2) key-dependent bits to the data part,
followed by a non-linear operation on sub-blocks of the data
part, and terminated by a permutation (linear operation) of
the data part.

In general, DES is considered to be a good encryption/
decryption tool. It is, however, an open question whether or
not DES has remained secure over the past years, particularly
in view of the recent very powerful differential
cryptanalytic attacks.

SUMMARY OF THE INVENTION 

It is an object of the invention to provide a cryptographic
method and apparatus of the kind set forth which is more
robust against cryptanalytic attacks.

To achieve this object, the cryptographic method according
to the invention is characterised in that the step of
merging the data and the key is performed by executing a
non-linear function g for non-linearly merging said selected
part M1 of the data and said first key K1 in one, sequentially
inseparable step. In the DES system, as shown in FIG. 2, in
a first processing step the R data is bit-wise added to the key,
followed by a second processing step of non-linearly processing
the result (S-boxes). According to the invention, an
algorithm is used which non-linearly merges data with a key
in one step (i.e. one, sequentially inseparable step). As such,
adding the key bits to the data is an integrated part of the
non-linear operation, making the system more immune
against modern attacks, such as differential cryptanalysis.

In an embodiment of the method according to the
invention, in each round both parts of the digital input block
are processed, giving a better encryption result than for
conventional Feistel ciphers, such as DES, where during
each round only half of the digital input block is being
processed. To ensure that the same system can be used for
both encryption and decryption, one part of the data is
processed using an operation g, whereas the other half is
processed using the inverse operation g^-1. Using this
scheme, decrypting is performed by using the same system
but supplying the keys in reverse order to the rounds (during
decryption the first non-linear step is supplied with the key
which, during encryption, was supplied to the last non-linear
step, etc.). Compared to a conventional implementation of a
Feistel cipher with twice as many rounds, the system according
to the invention is faster.

The measure of splitting a relatively large data block and
key, of for instance 64 bits, into smaller sub-blocks and
sub-keys simplifies real-time non-linear processing.

In an embodiment of the method according to the
invention, a constant is used to enhance the quality of the
encryption. Advantageously, the constant is predetermined
per system, forming, for instance, a customer-specific constant.
Alternatively, the constant is generated using a
pseudo-random generator.

The invention provides a way for non-linearly merging
the data sub-block and the sub-key in one step. Additionally,
different inputs all result in different outputs. This increases
the immunity of the system against cryptanalytic attacks,
compared to DES where the non-linear operation reduces
the 6-bit input sub-block to a 4-bit output sub-block, implying
that the same output is produced for four different inputs.

In an embodiment of the method according to the invention
a constant is used to enhance the quality of the encryption.
Advantageously, the constant is predetermined per
system, forming, for instance, a customer-specific constant.
Alternatively, the constant is generated using a pseudo-random
generator.

In an embodiment of the method according to the invention
individual sub-blocks corresponding to different parts of
the digital input block are swapped to improve the quality of
the encryption.

Preferably, the sub-block m_j comprises eight data bits.
This further improves the quality of the non-linear operation
compared to DES, where the non-linear operation converts
six to four bits.

Another embodiment has the advantage of reducing the
multiplication in GF(2^8) to operations in GF(2^4), making it
possible to achieve a simpler or more cost-effective implementation.
. . . tions in GF(2^4).

An embodiment of the method according to the invention
is characterised in that β is a root of an irreducible polynomial
h(x)=x^4+x^3+x^2+x+1 over GF(2). This is a preferred
choice for β, allowing the use of the so-called shifted
polynomial base.

An embodiment of the method according to the invention
is characterised in that calculating the inverse of an element
of GF(2^8) comprises performing a series of calculations in
GF(2^4). By reducing the inverse operation in GF(2^8) to
operations in GF(2^4) a simpler or more cost-effective implementation
can be achieved.

An embodiment of the method according to the invention
is characterised in that calculating the inverse of said element
b comprises calculating (a_0^2+a_0a_1+a_1^2β)^-1·(a_0+a_1+a_1D).
This is an effective way of reducing the inverse
operation in GF(2^8) to operations in GF(2^4).

An embodiment of the method according to the invention
is characterised in that said first key K1 comprises 64 data
bits and wherein each of said sub-keys k_j comprises eight
data bits. By using a large key the quality of the encryption
is increased.

To achieve the object of the invention, the apparatus
according to the invention is characterised in that said
cryptographic processing means is arranged to perform said
merging by executing a non-linear function g for non-linearly
merging said selected part M1 and said first key K1
in one, sequentially inseparable step.

These and other aspects of the invention will be apparent
from and elucidated with reference to the embodiments
shown in the drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows the processing steps for the DES system,

FIG. 2 illustrates details of merging the data with the key
and the non-linear operation in DES,

FIG. 3 illustrates details of the key calculation in DES,

FIG. 4 shows a block diagram of the cryptographic
apparatus of the invention,

FIG. 5 illustrates separate processing of two parts of the
digital input block,

FIG. 6 illustrates processing of a part of the digital input
block in the form of sub-blocks,

FIG. 7 illustrates processing of two parts in the form of
sub-blocks, and

FIG. 8 shows an overall encryption system.

DESCRIPTION OF THE PREFERRED
EMBODIMENTS

FIG. 4 shows a block diagram of the cryptographic
apparatus 400 according to the invention. For the purpose of
explaining the invention, the system is described in the
electronic code book mode. Persons skilled in the art will be
able to use the system in other modes as well. The apparatus
400 comprises first input means 410 for providing a digital
input block M. The digital input block M may be any
suitable size. Preferably, M is sufficiently large, for instance
128 bits, to obtain a reasonably secure encryption result. The
apparatus 400 further comprises cryptographic processing
means 420 for converting the digital input block into a
digital output block. Advantageously, the digital output
block has substantially equal length as the digital input
block. The apparatus 400 comprises output means 430 for
outputting the digital output block. Basically, the cryptographic
processing means 420 converts the digital input
block M into the digital output block by merging a selected
part M1 of the digital input block M with a first key K1,
producing a data block B1 which non-linearly depends on
M1 and K1. The merging is performed in one, sequentially
inseparable step. The digital output block is derived from B1
and the remaining part of M, which is not part of M1. To
obtain the first key K1, the cryptographic apparatus 400
comprises second input block 440. As will be described in
more details below, a second part M2 of the digital input
block may be non-linearly merged with a second key K2,
preferably, using an operation inverse to the operation for
merging M1 and K1, producing a data block B2. In this case,
the digital output block also depends on B2. To obtain the
second key K2, the cryptographic apparatus 400 comprises
third input block 450.

It will be appreciated that the cryptographic apparatus 400
may be implemented using a conventional computer, such as
a PC, or using a dedicated encryption/decryption device.
The digital input block may be obtained in various ways,
such as via a communication network, from a data storage
medium, such as a harddisk or floppy disk, or directly being
entered by a user. Similarly, the digital output block may be
output in various ways, such as via a communication
network, stored on a data storage medium, or displayed to a
user. Preferably, secure means are used to this end. The
cryptographic processing means 420 may be a conventional
processor, such as for instance used in personal computers,
but may also be a dedicated cryptographic processor. The
cryptographic apparatus 400 may, in part or in whole, be
implemented on a smart-card.

Details of the cryptographic conversion process will be
described for encrypting blocks of 128 bits of plaintext into
corresponding blocks of 128 bits of ciphertext. Persons
skilled in the art will be able to use the system for other
block sizes as well. Data sizes shown in the Figures are
given for reasons of clarity and should be treated as
examples only. The description focuses on the non-linear
processing of the data and the merging of the key with the
data as performed in one round. As such the invention can
be applied in a system as shown in FIG. 1, comprising
multiple rounds and also including a linear operation on the
data block in each round.

As shown in FIG. 5, the message block M of 128 bits is
divided into a first part M1 and a second part M2 (a left and
a right block). Preferably, both parts are of equal size, 64
bits. It will be appreciated that M1 and M2 may also be
derived from M using a more complicated selection process.
M1 is processed using a non-linear function g. In principle,
it is not required to process M2 during the same round.
Advantageously, M2 is processed in the same round using
the inverse function g^-1. Each of the functions g and g^-1
non-linearly merges M1 or, respectively, M2 with a key K1
or, respectively, K2. Preferably, the data parts and the keys
have the same size. Since it is difficult to implement a good
non-linear operation on a large data block and non-linearly
. . . , the parts M1 and M2 are split into sub-blocks. FIG. 6 illustrates
this for M1. FIG. 7 illustrates the splitting of M1 and M2.
Using 64-bit data parts M1 and M2, advantageously, the
parts are each split into eight 8-bit elements, where M1=(m_0,
m_1, . . . , m_7) and M2=(m_8, m_9, . . . , m_15). The two keys K1
and K2 may be derived from a larger key, for instance, by
splitting a 128 bit key into two 64-bit keys K1 and K2. The
two keys K1 and K2 may be split further. Using 64-bit keys,
advantageously, each key is split into 8-bit sub-keys, giving
a total of sixteen 8-bit sub-keys k_j, j=0 . . . 15. Each of the
sub-keys k_j is associated with the corresponding sub-block
m_j. Each sub-block is processed separately. Preferably, the
sub-blocks are processed in parallel. If preferred, the sub-
blocks relating to one round may also be serially processed.
The first group of sub-blocks, forming M1, are each processed
by a cipher function f. The second group of sub-
blocks are each processed by the inverse function f^-1.

For the cryptographic operations, an n-bit sub-block or
sub-key is considered to represent an element of GF(2^n)
(Galois Field). All operations are, therefore, in GF(2^n).

In its basic form, the cipher function f has two inputs m_j
and k_j and one output t_j as also illustrated in FIGS. 6 and 7,
where t_j=f(m_j, k_j), for j=0 to 7. In the basic form, the cipher
function f involves one operation h(b_j, k_j) with an output of
substantially equal size as b_j. The function h has a data
sub-block b_j and a sub-key k_j as input, where b_j=m_j for the
basic form of the cipher function f. The function f (in this
embodiment the same as the function h) is defined as follows
for j=0 . . . 7:

h(b_j, k_j) = (b_j · k_j)^-1,   if b_j ≠ 0, k_j ≠ 0, b_j ≠ k_j
           = (k_j)^-2,         if b_j = 0
           = (b_j)^-2,         if k_j = 0
           = 0,                if b_j = k_j

Similarly, in its basic form the inverse cipher function f^-1 has
two inputs m_j and k_j and one output t_j as also illustrated
in FIGS. 6 and 7, where t_j=f^-1(m_j, k_j), for j=8 to 15. The
inverse cipher function f^-1 involves also one operation,
h^-1(b_j, k_j) with an output of substantially equal size as b_j.
The function h^-1 is the inverse of h. As before, b_j=m_j in the
basic form of the cipher function f^-1. The function f^-1 (in this
embodiment the same as the function h^-1) is defined as
follows for j=8 . . . 15:

h^-1(b_j, k_j) = (b_j · k_j)^-1,   if b_j ≠ 0, k_j ≠ 0, and b_j · k_j^2 ≠ 1
              = k_j,              if b_j = 0
              = (b_j)^(-1/2),     if k_j = 0
              = 0,                if b_j · k_j^2 = 1

In a further embodiment, the outputs t_j of the cipher
functions f (t_j=f(m_j, k_j), for j=0 to 7) and the outputs of the
inverse cipher function (t_j=f^-1(m_j, k_j), for j=8 to 15) are
swapped in the following manner: t_j <-> t_{15-j} for j=0 to 7. This
is illustrated in FIG. 7.

In a further embodiment, a constant is added (bit-wise
modulo 2) to each data sub-block m_j before executing the
function h. Preferably, eight independent constants p_j
(j=0 . . . 7) are used, each being added to the corresponding
sub-block m_j. The same function h is used as before,
operating on b_j=m_j⊕p_j. The cipher function f is now
defined as follows:

1. b_j=m_j⊕p_j

2. h(b_j, k_j) = (b_j · k_j)^-1,   if b_j ≠ 0, k_j ≠ 0, b_j ≠ k_j
              = (k_j)^-2,         if b_j = 0
              = (b_j)^-2,         if k_j = 0
              = 0,                if b_j = k_j

Similarly, for the inverse cipher function f^-1 also a constant
is added (bit-wise modulo 2) to each data sub-block m_j. To
allow the inverse function f^-1 to be used to decrypt text
encrypted using the cipher function f, the constant is added
after the function h. Preferably, the same eight independent
constants p_j (j=0 . . . 7) are used as used for the cipher
function f. Now, the constants p_j are being added to the
15-j-th stream (j=0 . . . 7). As a consequence, the inverse
cipher function involves the following two operations
(j=8 . . . 15):
1. h^-1(b_j, k_j) = (b_j · k_j)^-1,   if b_j ≠ 0, k_j ≠ 0, and b_j · k_j^2 ≠ 1
                 = k_j,              if b_j = 0
                 = (b_j)^(-1/2),     if k_j = 0
                 = 0,                if b_j · k_j^2 = 1

2. t_j=h^-1(b_j, k_j)⊕p_{15-j}

Finally, t_j and t_{15-j} are swapped (j=0 . . . 7).

In a further embodiment, a further constant is added
(bit-wise modulo 2) to each data sub-block m_j after executing
the function h. Preferably, eight independent constants d_j
(j=0 . . . 7) are used, each being added to the corresponding
data sub-block m_j. The same function h is used as before.
The cipher function f is now defined as follows:

1. b_j=m_j⊕p_j

2. h(b_j, k_j) = (b_j · k_j)^-1,   if b_j ≠ 0, k_j ≠ 0, b_j ≠ k_j
              = (k_j)^-2,         if b_j = 0
              = (b_j)^-2,         if k_j = 0
              = 0,                if b_j = k_j

3. t_j=h(b_j, k_j)⊕d_j

Similarly, for the inverse cipher function also a constant
is added (bit-wise modulo 2) to each data sub-block m_j. To
allow the inverse function to be used to decrypt text
encrypted using the cipher function f, the constant is added
before executing the function h. Preferably, the same eight
independent constants d_j (j=0 . . . 7) are used as used for the
cipher function f. Now, the constants d_j are being added to
the 15-j-th stream (j=0 . . . 7). The same function h^-1 is used
as before, now operating on b_j=m_j⊕d_{15-j}. As a consequence,
the inverse cipher function involves the following three
operations (j=8 . . . 15):

1. b_j=m_j⊕d_{15-j}

2. h^-1(b_j, k_j) = (b_j · k_j)^-1,   if b_j ≠ 0, k_j ≠ 0, and b_j · k_j^2 ≠ 1
                 = k_j,              if b_j = 0
                 = (b_j)^(-1/2),     if k_j = 0
                 = 0,                if b_j · k_j^2 = 1

3. t_j=h^-1(b_j, k_j)⊕p_{15-j}

Finally, t_j and t_{15-j} are swapped (j=0 . . . 7).
It will be appreciated that it is also possible to use the
constants d_j without using constants p_j.

In a further embodiment, the cipher function f raises the
outcome of the function h to a power of two. The same
function h is used as before. The cipher function f is now
defined as follows:

1. b_j=m_j⊕p_j

2. h(b_j, k_j) = (b_j · k_j)^-1,   if b_j ≠ 0, k_j ≠ 0, b_j ≠ k_j
              = (k_j)^-2,         if b_j = 0
              = (b_j)^-2,         if k_j = 0
              = 0,                if b_j = k_j

3. s_j=h(b_j, k_j)^2

4. t_j=s_j⊕d_j

Similarly, the inverse cipher function also raises a data
sub-block to a power of 2. To allow the inverse function
to be used to decrypt text encrypted using the cipher function
f, the additional operation is performed before executing the
function h. The same function h^-1 is used as before, now
operating on b_j=m_j⊕d_{15-j}. As a consequence, the inverse
cipher function f^-1 involves the following four operations
(j=8 . . . 15):

1. q_j=m_j⊕d_{15-j}

2. b_j=q_j^(2^-1)

3. h^-1(b_j, k_j) = (b_j · k_j)^-1,   if b_j ≠ 0, k_j ≠ 0, and b_j · k_j^2 ≠ 1
                 = k_j,              if b_j = 0
                 = (b_j)^(-1/2),     if k_j = 0
                 = 0,                if b_j · k_j^2 = 1

4. t_j=h^-1(b_j, k_j)⊕p_{15-j}

Finally, t_j and t_{15-j} are swapped (j=0 . . . 7). It will be
appreciated that it is also possible to use the operation of
raising to a power of 2 without using one or both of the
constants d_j and p_j.

For decrypting the same algorithm is used as for
encrypting, but the sub-keys are swapped: instead of k_j, k_{15-j}
is used, j=0 . . . 15.
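The round just described, written out as an added worked example (the editor's code, not the patent's own): the non-linear merge h and its inverse h^-1 exactly as defined above, the cipher function f with the constants p_j and d_j and the squaring step, its inverse f^-1 with the square root, and one round over sixteen 8-bit sub-blocks including the swap t_j <-> t_{15-j} and the key reversal k_j -> k_{15-j} for decryption. Assumptions not taken from the text: GF(2^8) is represented in the ordinary polynomial basis modulo x^8+x^4+x^3+x+1 (the text only asks for some GF(2^8) multiplication; its own composite-field choice is described later), the function and constant names are mine, and the sample sub-blocks, sub-keys and constants are constructed here.

```python
"""One round of the sub-block cipher of the text: h, h^-1, f, f^-1, swap, key reversal.
Added example; field representation, names and sample data are the editor's assumptions."""

MODULUS = 0x11B  # x^8 + x^4 + x^3 + x + 1 (assumption: any GF(2^8) multiplication may be used)


def gf_mul(a, b):
    """Multiply two GF(2^8) elements by shift-and-add, reducing modulo MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= MODULUS
    return r


def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def gf_inv(a):
    """a^-1 = a^254 for a != 0 (a^255 = 1)."""
    return gf_pow(a, 254)


def gf_sqrt(a):
    """In characteristic 2 every element has exactly one square root: a^(1/2) = a^128."""
    return gf_pow(a, 128)


def h(b, k):
    """Non-linear merge of data sub-block b with sub-key k in one step, as defined in the text."""
    if b == k:
        return 0
    if b == 0:
        return gf_inv(gf_mul(k, k))   # (k)^-2
    if k == 0:
        return gf_inv(gf_mul(b, b))   # (b)^-2
    return gf_inv(gf_mul(b, k))       # (b * k)^-1


def h_inv(t, k):
    """Inverse of h in its first argument: h_inv(h(b, k), k) == b for every b."""
    if t == 0:
        return k                             # only b == k produces 0
    if k == 0:
        return gf_sqrt(gf_inv(t))            # t^(-1/2) undoes b^-2
    if gf_mul(t, gf_mul(k, k)) == 1:
        return 0                             # t == k^-2 was produced by b == 0
    return gf_inv(gf_mul(t, k))              # (t * k)^-1


def f(m, k, p, d):
    """Cipher function: b = m + p, s = h(b, k)^2, t = s + d (addition is XOR)."""
    b = m ^ p
    hb = h(b, k)
    return gf_mul(hb, hb) ^ d


def f_inv(m, k, p, d):
    """Inverse cipher function: undo d, take the square root, invert h, undo p."""
    b = gf_sqrt(m ^ d)
    return h_inv(b, k) ^ p


def round_encrypt(m, k, p, d):
    """f on m_0..m_7 with (k_j, p_j, d_j); f^-1 on m_8..m_15 with (k_j, p_{15-j}, d_{15-j});
    then swap t_j <-> t_{15-j}."""
    t = [f(m[j], k[j], p[j], d[j]) for j in range(8)]
    t += [f_inv(m[j], k[j], p[15 - j], d[15 - j]) for j in range(8, 16)]
    return [t[15 - j] for j in range(16)]


def round_decrypt(c, k, p, d):
    """Same algorithm with sub-key k_{15-j} in place of k_j."""
    return round_encrypt(c, k[::-1], p, d)


def is_bijective(k):
    """The text's point against S-boxes: for fixed k, distinct inputs give distinct outputs."""
    return len({h(b, k) for b in range(256)}) == 256


# constructed sample data (not from the text): 16 sub-blocks, 16 sub-keys, 8 + 8 constants
SAMPLE_M = [(17 * j + 3) & 0xFF for j in range(16)]
SAMPLE_K = [(97 * j + 5) & 0xFF for j in range(16)]
SAMPLE_P = [(13 * j + 1) & 0xFF for j in range(8)]
SAMPLE_D = [(29 * j + 7) & 0xFF for j in range(8)]

if __name__ == "__main__":
    c = round_encrypt(SAMPLE_M, SAMPLE_K, SAMPLE_P, SAMPLE_D)
    print("round trip ok:", round_decrypt(c, SAMPLE_K, SAMPLE_P, SAMPLE_D) == SAMPLE_M)
    print("h(., k) bijective for k in 0,1,0x53,0xFF:", all(is_bijective(k) for k in (0, 1, 0x53, 0xFF)))
```

Running the file checks that a round followed by the same round with reversed sub-keys returns the sample block, which is the property the text relies on for using one system for both directions; `is_bijective` is the check behind the statement that, unlike a 6-to-4-bit S-box, h maps different inputs to different outputs.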
The multiplication in GF(2^8)

In principle, for the invention any multiplication in
GF(2^8) may be used. An example of a VLSI implementation
of multiplications in GF(2^m) is given in [P. A. Scott, "A fast
VLSI multiplier for GF(2^m)", IEEE Journal on Selected
Areas in Communications, Vol. SAC-4, No. 1, January 1986,
pages 62-66]. Advantageously, the following mechanism is
used to reduce the multiplication in GF(2^8) to a series of
multiplications and additions in GF(2^4). As is known in the
art, in finite fields with a characteristic of 2 (e.g. GF(2^n)) and
the Galois field represented in binary arithmetic, the
subtraction operation (i.e. the inverse of addition) is the same as
the addition operation. For convenience, the symbol + is
used herein for this addition/subtraction operation, although
a ⊕ symbol may be equivalently substituted for ease of
understanding, as required.

Let, in GF(2^4), β be the non-trivial root of β^5=1 (non-
trivial means β≠1, or, equally, β is the root of the irreducible
polynomial h(x)=x^4+x^3+x^2+x+1 over GF(2), since x^5-1=
(x-1)(x^4+x^3+x^2+x+1)). The normal base β, β^2, β^4, β^8 is
taken as the base in GF(2^4). Since according to the polynomial
β^8=β^3, this is the same as the so-called shifted polynomial
base: β, β^2, β^3, β^4.

Let D be an element of GF(2^8), defined as a root of the
irreducible polynomial k(x)=x^2+x+β over GF(2^4). Every
element of GF(2^8) can be represented as a_0+a_1·D, with a_0
and a_1 being elements of GF(2^4). In binary terminology, the
number b of GF(2^8) can be represented using eight bits,
arranged as a vector (a_0, a_1), with a_0, a_1 having four bits,
representing numbers of GF(2^4). As such, the base in GF(2^8)
is: β, β^2, β^3, β^4, Dβ, Dβ^2, Dβ^3, Dβ^4. Two elements b and c
of GF(2^8), represented as b=a_0+a_1·D and c=a_2+a_3·D, with
a_i∈GF(2^4), can be multiplied as follows:

b·c=(a_0+a_1·D)·(a_2+a_3·D)=a_0a_2+(a_1a_2+a_0a_3)·D+a_1a_3·D^2.

Using the fact that D is a root of k(x), which implies that
D^2=D+β, this gives the multiplication result:

b·c=(a_0a_2+a_1a_3β)+(a_1a_2+a_0a_3+a_1a_3)·D.

This has reduced the multiplication of two elements of
GF(2^8) to a series of multiplications and additions in GF(2^4).
The inverse in GF(2^8)

In principle any known method may be used to calculate
the inverse of an element in GF(2^8). Advantageously, if the
previous method has been used to reduce the multiplication
in GF(2^8) to a multiplication in GF(2^4), then the following
method is used to reduce the inverse operation in GF(2^8) to
an inverse operation in GF(2^4).

The inverse b^-1 of an element b in GF(2^8), where b is
represented as b=a_0+a_1·D, with a_i∈GF(2^4), is given by:

b^-1=(a_0^2+a_0a_1+a_1^2β)^-1·(a_0+a_1+a_1D), since:

b^-1·b=(a_0^2+a_0a_1+a_1^2β)^-1·(a_0+a_1+a_1D)·(a_0+a_1D)

and since D^2+D=β, this gives: b^-1·b=1.

In this way the inverse operation in GF(2^8) is reduced to an
inverse operation in GF(2^4) and a series of multiplications
and additions in GF(2^4).

Multiplication in GF(2^4)

In principle, any multiplication in GF(2^4) may be used.
Advantageously, as described before, the shifted polynomial
base β, β^2, β^3, β^4 is taken as the base in GF(2^4), where β is
the root of the irreducible polynomial h(x)=x^4+x^3+x^2+x+1
over GF(2), and β^5=1 in GF(2^4). Since β is a root of h, this
implies:

β^4+β^3+β^2+β=1. Assuming that the base elements are
named e_1, e_2, e_3 and e_4, with e_i=β^i, the base elements
are multiplied in the following way, using the definition
of β:

e_1·e_1=β·β=β^2=e_2

e_1·e_2=β·β^2=β^3=e_3

e_1·e_3=β·β^3=β^4=e_4

e_1·e_4=β·β^4=β^5=1=e_1+e_2+e_3+e_4

e_2·e_2=β^2·β^2=β^4=e_4

e_2·e_3=β^2·β^3=β^5=1=e_1+e_2+e_3+e_4

e_2·e_4=β^2·β^4=β^6=β=e_1

e_3·e_3=β^3·β^3=β^6=β=e_1

e_3·e_4=β^3·β^4=β^7=β^2=e_2

e_4·e_4=β^4·β^4=β^8=β^3=e_3

This in principle defines the multiplication in GF(2^4). In
binary terms the multiplication can be seen as follows. With
respect to the base, each element b in GF(2^4) can be
represented as b=b_0e_1+b_1e_2+b_2e_3+b_3e_4, with b_i∈GF(2). As
such, the element b can be represented by a 4-dimensional
vector with binary components (b_0, b_1, b_2, b_3). On a micro-
processor this can be represented using a nibble. In binary
terms, the multiplication of two elements b and c in GF(2^4)
can be seen as follows, assuming the two elements are
represented by b=(b_0, b_1, b_2, b_3) and c=(c_0, c_1, c_2, c_3).
Multiplying the two elements in the normal way gives:

b·c=(b_0c_0)β^2+(b_0c_1+b_1c_0)β^3+(b_0c_2+b_1c_1+b_2c_0)β^4+
(b_0c_3+b_1c_2+b_2c_1+b_3c_0)β^5+(b_1c_3+b_2c_2+b_3c_1)β^6+
(b_2c_3+b_3c_2)β^7+(b_3c_3)β^8

Using the definition of β to replace β^5 by β^4+β^3+β^2+β, β^6 by
β, β^7 by β^2, and β^8 by β^3, gives the following four components:

b·c=(b_1c_3+b_2c_2+b_3c_1+b_0c_3+b_1c_2+b_2c_1+b_3c_0)β+(b_0c_0+
b_2c_3+b_3c_2+b_0c_3+b_1c_2+b_2c_1+b_3c_0)β^2+(b_0c_1+b_1c_0+
b_3c_3+b_0c_3+b_1c_2+b_2c_1+b_3c_0)β^3+(b_0c_2+b_1c_1+b_2c_0+b_0c_3+
b_1c_2+b_2c_1+b_3c_0)β^4

The result of the multiplication, in binary terms, is,
therefore, given by:

b·c=(b_1c_3+b_2c_2+b_3c_1+b_0c_3+b_1c_2+b_2c_1+b_3c_0,
b_0c_0+b_2c_3+b_3c_2+b_0c_3+b_1c_2+b_2c_1+b_3c_0,
b_0c_1+b_1c_0+b_3c_3+b_0c_3+b_1c_2+b_2c_1+b_3c_0,
b_0c_2+b_1c_1+b_2c_0+b_0c_3+b_1c_2+b_2c_1+b_3c_0)

Inverse operation in GF(2^4)

Using the normal base β, β^2, β^4, β^8, each element x of
GF(2^4) can be written as x=a·β+b·β^2+c·β^4+d·β^8, with a, b, c,
d∈GF(2). As such, each element can be represented by a
4-dimensional vector (a, b, c, d).

In order to obtain the inverse of x (x^-1):

calculate the following intermediate results: ab, āb, ab̄, bc,
b̄c, bc̄, cd, c̄d, cd̄, da, d̄a, dā, where ab is the binary
AND of a and b (a AND b) and ā is the binary
complement of a (NOT a),

calculate the first bit of x^-1 by using cd, cd̄, c̄d, āb, bc̄, and d̄a
as follows: (cd) OR (ā AND cd̄) OR (c̄d AND āb) OR (bc̄ AND d̄a),

calculate the second bit of x^-1 by using da, dā, d̄a, b̄c,
cd̄, āb as follows: (da) OR (b̄ AND dā) OR (d̄a AND b̄c)
OR (cd̄ AND āb),

calculate the third bit of x^-1 by using ab, ab̄, āb, c̄d, dā,
b̄c as follows: (ab) OR (c̄ AND ab̄) OR (āb AND c̄d) OR
(dā AND b̄c),

calculate the fourth bit of x^-1 by using bc, bc̄, b̄c, d̄a, ab̄,
c̄d as follows: (bc) OR (d̄ AND bc̄) OR (b̄c AND d̄a) OR
(ab̄ AND c̄d).
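The four field-arithmetic sections above (multiplication and inverse in GF(2^8) through the composite representation, multiplication and inverse in GF(2^4)) carried through in working code, as an added example by the editor and not the patent's own: `mul16` is the four-component product formula in the shifted polynomial base, `inv16` the Boolean inverse formula in the normal base, `mul256` the product with D^2=D+β, and `inv256` the inverse via the single GF(2^4) inversion (a_0^2+a_0a_1+a_1^2β)^-1. The representation is an assumption: a GF(2^4) element is a 4-bit integer whose bit i holds the coefficient of β^(i+1), and a GF(2^8) element is the pair (a_0, a_1) meaning a_0+a_1·D; the function names are mine.

```python
"""Composite-field arithmetic GF(2^8) = GF(2^4)[D]/(D^2 + D + beta), beta a root of
x^4+x^3+x^2+x+1 (so beta^5 = 1).  Added example; representation and names are assumptions:
GF(2^4): 4-bit int, bit i = coefficient of beta^(i+1) (shifted polynomial base);
GF(2^8): pair (a0, a1) meaning a0 + a1*D."""

BETA = 0b0001    # beta: coefficient 1 on beta, 0 on beta^2..beta^4
ONE16 = 0b1111   # 1 = beta + beta^2 + beta^3 + beta^4  (from beta^5 = 1, characteristic 2)


def _bits(x):
    """(b0, b1, b2, b3) = coefficients of beta, beta^2, beta^3, beta^4."""
    return [(x >> i) & 1 for i in range(4)]


def mul16(x, y):
    """The text's four-component product formula in the shifted polynomial base."""
    b0, b1, b2, b3 = _bits(x)
    c0, c1, c2, c3 = _bits(y)
    # coefficient of beta^5, which is replaced by beta^4 + beta^3 + beta^2 + beta
    common = b0 * c3 ^ b1 * c2 ^ b2 * c1 ^ b3 * c0
    r0 = b1 * c3 ^ b2 * c2 ^ b3 * c1 ^ common   # beta   (beta^6 -> beta)
    r1 = b0 * c0 ^ b2 * c3 ^ b3 * c2 ^ common   # beta^2 (beta^7 -> beta^2)
    r2 = b0 * c1 ^ b1 * c0 ^ b3 * c3 ^ common   # beta^3 (beta^8 -> beta^3)
    r3 = b0 * c2 ^ b1 * c1 ^ b2 * c0 ^ common   # beta^4
    return r0 | r1 << 1 | r2 << 2 | r3 << 3


def _inv_bit(a, b, c, d):
    """First output bit of the text's inverse formula, in the normal base
    (a, b, c, d) <-> a*beta + b*beta^2 + c*beta^4 + d*beta^8."""
    na, nc, nd = 1 - a, 1 - c, 1 - d
    return (c & d) | (na & c & nd) | (nc & d & na & b) | (b & nc & nd & a)


def inv16(x):
    """Inverse in GF(2^4) by the Boolean formulas of the text (x != 0)."""
    if x == 0:
        raise ZeroDivisionError("0 has no inverse")
    b0, b1, b2, b3 = _bits(x)
    a, b, c, d = b0, b1, b3, b2   # normal base: c is the beta^4 coefficient, d the beta^8 = beta^3 one
    # The text's second, third and fourth bit formulas are the first one with the variables
    # rotated (a,b,c,d) -> (b,c,d,a): squaring is a cyclic shift in a normal base.
    ra = _inv_bit(a, b, c, d)
    rb = _inv_bit(b, c, d, a)
    rc = _inv_bit(c, d, a, b)
    rd = _inv_bit(d, a, b, c)
    return ra | rb << 1 | rd << 2 | rc << 3   # back to the shifted polynomial base


def mul256(x, y):
    """(a0 + a1 D)(a2 + a3 D) = (a0 a2 + a1 a3 beta) + (a1 a2 + a0 a3 + a1 a3) D."""
    a0, a1 = x
    a2, a3 = y
    lo = mul16(a0, a2) ^ mul16(mul16(a1, a3), BETA)
    hi = mul16(a1, a2) ^ mul16(a0, a3) ^ mul16(a1, a3)
    return (lo, hi)


def inv256(x):
    """b^-1 = (a0^2 + a0 a1 + a1^2 beta)^-1 (a0 + a1 + a1 D): one inversion, in GF(2^4)."""
    a0, a1 = x
    norm = mul16(a0, a0) ^ mul16(a0, a1) ^ mul16(mul16(a1, a1), BETA)
    t = inv16(norm)
    return (mul16(t, a0 ^ a1), mul16(t, a1))


ONE256 = (ONE16, 0)
D = (0, ONE16)   # the element D itself


def all_inverses_check():
    """True if x * inv(x) == 1 for every non-zero element of GF(2^4) and of GF(2^8)."""
    ok16 = all(mul16(x, inv16(x)) == ONE16 for x in range(1, 16))
    elems = [(a0, a1) for a0 in range(16) for a1 in range(16) if (a0, a1) != (0, 0)]
    ok256 = all(mul256(x, inv256(x)) == ONE256 for x in elems)
    return ok16 and ok256


if __name__ == "__main__":
    print("D^2 == D + beta:", mul256(D, D) == (BETA, ONE16))
    print("all 15 + 255 inverses correct:", all_inverses_check())
```

The exhaustive check is cheap (15 elements in GF(2^4), 255 in GF(2^8)) and is the natural acceptance test for a table-free implementation of this kind: every non-zero element times its computed inverse must give the field's one, which in the shifted polynomial base is the all-ones nibble, not 0001.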
Besides being used in a DES-like system as shown in FIG.
1, a dedicated system can be built around the non-linear
algorithm of the invention. Such a system is shown in FIG.
8. In this system, the blocks are processed using the non-
linear operation NL of the invention and a linear operation
LIN. The first step is the non-linear operation. This is
followed by an iteration of the linear operation followed by
the non-linear operation. It is expected that a sufficiently safe
system is achieved by performing six non-linear operations
(i.e. using five rounds), provided that the linear operation
mixes the data bits thoroughly. Preferably, 15 rounds are
used. Each of the linear operations is the same. Also, each
of the non-linear operations is the same, but each non-linear
operation uses a different key of 128 bits. Advantageously,
keys are derived from one global key of, for instance, 256
bits, using a key schedule calculation. The same key is used
for encryption as well as decryption. In most cases the key
is provided using a smart-card. For the linear operation,
advantageously, instead of a permutation a more complex
matrix is used. As described before, in addition to the key,
each non-linear operation may, optionally, use a constant C
of 128 bits, which is split in the constants p_j and d_j. The
constant may be the same for each operation.
Advantageously, each non-linear operation is provided with
a separate constant. The constants may be predetermined per
system (e.g. a customer-specific constant). Alternatively, the
constant is generated using a pseudo-random generator.
What is claimed is: 

1. A program stored on a computer readable medium for cryptographically converting a digital input data block M into a digital output data block; said program configured to perform the steps of merging a selected part M1 of said digital input data block M with a first digital key K1 to produce a data block B1 which non-linearly depends on said selected part M1 and said first key K1, and deriving said digital output block from said data block B1 and the remaining part of the input data block M; wherein said merging step is performed by executing a non-linear function g for non-linearly merging said selected part M1 and said first key K1 in a single step; wherein said merging step comprises the steps of splitting said selected part M1 in a first plurality n of sub-blocks $m_0, \ldots, m_{n-1}$ of substantially equal length; splitting said first key K1 in said first plurality n of sub-keys $k_0, \ldots, k_{n-1}$ substantially having equal length, the sub-key $k_i$ corresponding to the sub-block $m_i$, for i=0 to n-1; separately processing each of said sub-blocks by executing for each of said sub-blocks a same non-linear function h for non-linearly merging a sub-block $b_i$ derived from said sub-block $m_i$ with said corresponding sub-key $k_i$ in one, sequentially, inseparable step and producing said first plurality of output sub-blocks $h(b_i, k_i)$; and combining sub-blocks $t_i$ derived from said first plurality of said output sub-blocks $h(b_i, k_i)$ to form said data block B1; and wherein said function $h(b_i, k_i)$ is defined by:

$$
h(b_i, k_i) = \begin{cases}
(b_i \cdot k_i)^{-1} & \text{if } b_i \neq 0,\ k_i \neq 0,\ \text{and } b_i \neq k_i \\
(k_i)^{-2} & \text{if } b_i = 0 \\
(b_i)^{-2} & \text{if } k_i = 0 \\
0 & \text{if } b_i = k_i,
\end{cases}
$$

where the multiplication and inverse operations are predetermined Galois Field multiplication and inverse operations.

2. A program as claimed in claim 1, wherein deriving said sub-blocks $t_i$ from said output sub-blocks $h(b_i, k_i)$ comprises bit-wise adding a constant $d_i$ to said output sub-block $h(b_i, k_i)$, said constant $d_i$ substantially having equal length as said sub-block $m_i$.

3. A program as claimed in claim 2, wherein deriving said sub-blocks from said output sub-blocks $h(b_i, k_i)$ further comprises raising $h(b_i, k_i) \oplus d_i$ to a power $2^i$, using said predetermined Galois Field multiplication.

4. A program as claimed in claim 1, wherein said sub-block $m_i$ comprises eight data bits, and wherein said multiplying of two elements b and c of GF($2^8$) comprises executing a series of multiplications and additions in GF($2^4$).

5. A program as claimed in claim 4, wherein said multiplying of said two elements b and c comprises:

representing b as $a_0 + a_1 \cdot D$ and c as $a_2 + a_3 \cdot D$, where $a_0, a_1, a_2$ and $a_3$ are elements of GF($2^4$), and where D is an element of GF($2^8$) defined as a root of an irreducible polynomial $k(x) = x^2 + x + p$ over GF($2^4$), where p is an element of GF($2^4$); and

calculating $(a_0 a_2 + a_1 a_3 p) + (a_1 a_2 + a_0 a_3 + a_1 a_3) \cdot D$.

6. A program as claimed in claim 5, wherein p is a root of an irreducible polynomial $h(x) = x^4 + x^3 + x^2 + x + 1$ over GF(2).

7. A program as claimed in claim 1, wherein said sub-block $m_i$ comprises eight data bits, and wherein calculating the inverse of an element b of GF($2^8$) comprises performing a series of calculations in GF($2^4$).

8. A program as claimed in claim 7, wherein calculating the inverse of said element b comprises:

representing b as $a_0 + a_1 \cdot D$, where $a_0$ and $a_1$ are elements of GF($2^4$), and where D is an element of GF($2^8$) defined as a root of an irreducible polynomial $k(x) = x^2 + x + p$ over GF($2^4$), where p is an element of GF($2^4$); and

calculating $(a_0^2 + a_0 a_1 + a_1^2 p)^{-1} \left((a_0 + a_1) + a_1 D\right)$.



9. A processor for cryptographically converting a digital input data block M into a digital output data block; said processor comprising:

first input means for providing said digital input data block M;

second input means for providing a first digital key K1;

cryptographic processing means for converting the digital input data block M into the digital output data block; said conversion comprising merging a selected part M1 of said digital input data block M with said first key K1 and producing a data block B1 which non-linearly depends on said selected part M1 and said first key K1, said digital output data block being derived from said data block B1 and the remaining part of the digital input block M; and

output means for outputting said digital output data block; characterized in that said cryptographic processing means is arranged to perform said merging by executing a non-linear function g for non-linearly merging said selected part M1 and said first key K1 in a single step wherein said merging step comprises the steps of splitting said selected part M1 in a first plurality n of sub-blocks $m_0, \ldots, m_{n-1}$ of substantially equal length; splitting said first key K1 in said first plurality n of sub-keys $k_0, \ldots, k_{n-1}$, substantially having equal length, the sub-key $k_i$ corresponding to the sub-block $m_i$, for i=0 to n-1; separately processing each of said sub-blocks $m_i$ by executing for each of said sub-blocks $m_i$ a same non-linear function h for non-linearly merging a sub-block $b_i$ derived from said sub-block $m_i$ with said corresponding sub-key $k_i$ in one, sequentially inseparable step and producing said first plurality of output sub-blocks $h(b_i, k_i)$; and combining sub-blocks $t_i$ derived from said first plurality of said output sub-blocks $h(b_i, k_i)$ to form said data block B1 wherein said function $h(b_i, k_i)$ is defined by:

$$
h(b_i, k_i) = \begin{cases}
(b_i \cdot k_i)^{-1} & \text{if } b_i \neq 0,\ k_i \neq 0,\ \text{and } b_i \neq k_i \\
(k_i)^{-2} & \text{if } b_i = 0 \\
(b_i)^{-2} & \text{if } k_i = 0 \\
0 & \text{if } b_i = k_i,
\end{cases}
$$

where the multiplication and inverse operations are predetermined Galois Field multiplication and inverse operations.

10. A processor as claimed in claim 9, wherein said sub-block $m_i$ comprises eight data bits, and wherein said multiplying of two elements b and c of GF($2^8$) comprises:

representing b as $a_0 + a_1 \cdot D$ and c as $a_2 + a_3 \cdot D$, where $a_0, a_1, a_2$ and $a_3$ are elements of GF($2^4$), and where D is an element of GF($2^8$) defined as a root of an irreducible polynomial $k(x) = x^2 + x + p$ over GF($2^4$), where p is an element of GF($2^4$); and

calculating $(a_0 a_2 + a_1 a_3 p) + (a_1 a_2 + a_0 a_3 + a_1 a_3) \cdot D$;

and wherein calculating the inverse of an element b of GF($2^8$) comprises calculating $(a_0^2 + a_0 a_1 + a_1^2 p)^{-1} \left((a_0 + a_1) + a_1 D\right)$.
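As an added worked example (not code from the patent), the following Python builds the claimed GF($2^8$) tower arithmetic of claims 5, 6 and 8 (GF($2^4$) = GF(2)[x]/(h(x)), p = x, D a root of $x^2 + x + p$) and the merge function h of claims 1 and 9 on top of it, then checks that the claim 8 inverse agrees with the claim 5 multiplication and that for every sub-key the map $b \mapsto h(b, k)$ permutes the 256 byte values, which is what lets the non-linear operation be undone during decryption. The nibble packing of $a_0$ and $a_1$ into one byte and the search-based GF($2^4$) inverse are choices of this example, not of the patent.

```python
H4 = 0b11111  # h(x) = x^4 + x^3 + x^2 + x + 1 from claim 6, as a bit mask
P = 0b0010    # p = x, a root of h(x) inside GF(2^4) = GF(2)[x]/(h(x))

def gf16_mul(a, b):
    """Shift-and-add multiplication in GF(2^4), reducing modulo h(x)."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= H4
    return r

def gf16_inv(a):
    """Inverse in GF(2^4) by search over the 15 non-zero elements; inv(0) = 0."""
    return next((x for x in range(1, 16) if gf16_mul(a, x) == 1), 0)

def split(b):  # byte -> (a0, a1) with b = a0 + a1.D; low nibble is a0 (assumed layout)
    return b & 0xF, b >> 4

def gf256_mul(b, c):
    """Claim 5: (a0a2 + a1a3p) + (a1a2 + a0a3 + a1a3).D, using D^2 = D + p."""
    a0, a1 = split(b)
    a2, a3 = split(c)
    lo = gf16_mul(a0, a2) ^ gf16_mul(gf16_mul(a1, a3), P)
    hi = gf16_mul(a1, a2) ^ gf16_mul(a0, a3) ^ gf16_mul(a1, a3)
    return lo | (hi << 4)

def gf256_inv(b):
    """Claim 8: (a0^2 + a0a1 + a1^2 p)^-1 ((a0 + a1) + a1.D); inv(0) = 0."""
    a0, a1 = split(b)
    n = gf16_mul(a0, a0) ^ gf16_mul(a0, a1) ^ gf16_mul(gf16_mul(a1, a1), P)
    ninv = gf16_inv(n)
    return gf16_mul(ninv, a0 ^ a1) | (gf16_mul(ninv, a1) << 4)

def h(b, k):
    """The merge of claims 1 and 9; b == k (which covers b == k == 0) is tested first."""
    if b == k:
        return 0
    if b == 0 or k == 0:                     # (k_i)^-2 when b_i = 0, (b_i)^-2 when k_i = 0
        x = k if b == 0 else b
        return gf256_inv(gf256_mul(x, x))
    return gf256_inv(gf256_mul(b, k))        # (b_i . k_i)^-1

def merge_is_bijective():
    """For every sub-key k, b -> h(b, k) must permute all 256 byte values."""
    return all(len({h(b, k) for b in range(256)}) == 256 for k in range(256))
```

The bijectivity check is the property a plain $(b \cdot k)^{-1}$ with $0^{-1} = 0$ would fail; the two special cases of the claim are exactly what restore it.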